🚨 CVE-2023-33999
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.
This issue affects WP Mail Log: from n/a through 1.0.2.
🎖@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress WP Mail Log Plugin
🚨 CVE-2026-34033
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer.
This issue affects Apache Answer: through 2.0.0.
User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
🚨 CVE-2026-45487
Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-45586
Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-45588
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
🚨 CVE-2026-45592
Integer overflow or wraparound in Windows Internet (wininet.dll) allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-45593
Use after free in Windows SDK allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-41848
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41848: Spring Framework Denial of Service via AntPathMatcher
🚨 CVE-2026-41852
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41852: Spring Framework Arbitrary Method Invocation in SpEL Expressions
🚨 CVE-2026-42986
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-42987
Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network.
🚨 CVE-2026-42989
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-42991
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
🚨 CVE-2026-41844
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41844: Spring Framework Open Redirect in Spring MVC and WebFlux
🚨 CVE-2026-41845
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41845: Spring Framework Cross-site Scripting via JavaScriptUtils
🚨 CVE-2026-41846
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVE-2026-41846: Spring Framework Cross-site Scripting via JSP Form Tags
🚨 CVE-2026-41847
Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL.
Affected versions:
Spring Framework 5.3.0 through 5.3.48.
CVE-2026-41847: Spring Framework Security Filter Bypass in WebFlux Kotlin Router DSL
🚨 CVE-2026-42903
Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.
🚨 CVE-2026-42904
Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network.
🚨 CVE-2026-41006
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations.
Affected versions:
Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
CVE-2026-41006: Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration
🚨 CVE-2026-41007
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.
Affected versions:
Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
CVE-2026-41007: Spring HATEOAS heap exhaustion through unbounded internal caching